CVE-2026-42212

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2.

CVSS

No CVSS.

References

Link	Resource
https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20
https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d
https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2
https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9
https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9

Configurations

No configuration.

History

11 May 2026, 16:17

Type	Values Removed	Values Added
References	~~() https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9 -~~	() https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9 -

08 May 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-08 22:16

Updated : 2026-05-12 16:43

NVD link : CVE-2026-42212

Mitre link : CVE-2026-42212

CVE.ORG link : CVE-2026-42212

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-611

Improper Restriction of XML External Entity Reference

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

{"id": "CVE-2026-42212", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-08T22:16:32.243", "references": [{"url": "https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20", "source": "security-advisories@github.com"}, {"url": "https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d", "source": "security-advisories@github.com"}, {"url": "https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9", "source": "security-advisories@github.com"}, {"url": "https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-776"}]}], "descriptions": [{"lang": "en", "value": "SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, Opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2."}], "lastModified": "2026-05-12T16:43:27.870", "sourceIdentifier": "security-advisories@github.com"}